Crime Pays

Malvertising and ransomware are not new, yet we still read about devastating attacks that succeed. Originally separate attacks, they are now used hand-in-hand, and criminals continue to innovate: a multi-payload, ongoing malvertising campaign distributed a newly discovered info-stealer alongside the GandCrab ransomware, with the whole infection chain completing in under a minute.[i] A malvertising campaign built on the Angler exploit kit spread ransomware through major news websites, including the BBC and MSN.[ii] A major malvertising attack on Yahoo.com, which put a significant share of the site's 6.9 billion monthly visitors at risk, infected users' machines with the CryptoWall ransomware.[iii] Because a malicious ad can appear in any ad slot on any site, including the ones you visit as part of everyday browsing, malvertising makes ransomware more effective.

It is alarming that attackers use malvertising and ransomware to form profitable, sustainable, and growing businesses.  Why did this happen?

  1. The attacks work
  2. There is no justice
  3. The barrier to entry and operation costs are low
  4. The attacks are profitable and scalable

Security professionals know ransomware is insidious: it relies on social engineering, phishing relentlessly until one user clicks a link or opens an attachment. Because a single click is enough, attackers know that success is only a matter of time.

Malvertising makes it easier for ransomware to take hold of an endpoint. With a drive-by download, the attacker does not even need to trick the target into clicking a malicious link: the ad loads automatically, a hidden iframe pulls in an exploit kit that attacks a vulnerability in the visitor's browser or one of its plugins, and the ransomware payload is downloaded without any user action. Malvertising exploits nothing on the website or the host server that displays the ad; the site is only the delivery channel, and infections delivered this way silently travel through web page advertisements.[iv]

The chances of bringing attackers to justice are near nil. Ransoms paid in cryptocurrency are pseudonymous rather than truly anonymous: the transactions are recorded on a public ledger, but linking a wallet to a real-world identity is difficult and slow. Malvertising groups set up networks of fake companies that buy ads on legitimate sites and later modify the ad creatives to load malicious code. Jurisdiction is unclear when attacker and victim sit on opposite sides of an international border.

The barrier to entry is low. To keep operating costs small, attackers use the same tools and cloud services as their victims, and no coding expertise is required: Ransomware-as-a-Service (RaaS) offerings supply the malware and the payment infrastructure ready to use.

What is the scope of the problem?

It is getting worse. In April 2020, cyber-security firm Confiant reported that Tag Barnakle, a malvertising group, had breached 60 ad servers to load its own malicious ads. The attack appears to have been running for at least nine months, since August 2019. Why buy legitimate ad slots to deliver malvertising when you can hack the ad server instead? The group managed to load its malicious ads on thousands of sites, and because of real-time bidding (RTB) integrations between services, the malicious ads were rebroadcast to other ad companies as well. The result was an increase of 1.25 million affected ad impressions in a single day.[v]

Cunning criminals play the long game, focusing ransomware attacks on organizations, like hospitals and other health care providers, that make perfect targets because there is life-or-death urgency in getting back up and running quickly.[vi] Unfortunately, attackers now have a proven model for using malvertising and ransomware to build profitable, sustainable, and growing businesses.

To learn more, read Prevention is the best Ransomware Protection for 2020

[i] https://threatpost.com/malvertising-ransomware-vidar/140641/

[ii] https://resources.infosecinstitute.com/malware-spotlight-malvertising

[iii] https://www.malwarebytes.com/malvertising/

[iv] https://www.infosecurity-magazine.com/news/five-month-malvertising-campaign-serves-up-silent/

[v] https://www.zdnet.com/google-amp/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/

[vi] https://www.wired.com/story/covid-19-pandemic-ransomware-long-game/

John Klassen

Sr. Director - Product Marketing